INTEGRATED VISUALIZATION OF SECURITY
INFORMATION FOR AN INDIVIDUAL 

BACKGROUND OF THE DISCLOSURE 

Reference to Related Application 

The present application is based on provisional application Serial No. 60/374,471, filed
April 18, 2002, the entire contents of which are herein incorporated by reference.

1. Field of the Disclosure

The present disclosure relates generally to information security access and in particular, to 
integrated visualization of security information for an individual. 

2. Description of the Related Art 

Various types of systems exist for locating individuals within a facility. For example, 
systems exist in which remote badges are coupled to personnel to be located. The badges include 
transmitters for transmitting identification information identifying the personnel. Receivers 
spaced throughout a facility are capable of receiving signals from the badges. A central 
processor is capable of receiving messages from the receivers for determining the location of 
each of the badges. 

Various types of systems also exist for controlling access to secured areas, including 
badge reader systems, retina and/or iris scanner systems, finger print scanner systems, etc. 

However, a need exists for a system of monitoring personnel within an environment and 
more specifically, for determining movements of personnel and for determining when an 
individual strays from their normal movements, which might indicate that the individual is up to
no good.



SUMMARY 

A monitoring system and method is disclosed. The monitoring method comprises 
detecting instances of physical presence of at least one individual, storing location information 
identifying the at least one individual and information related to the instances, displaying on a 
display a visual image of a physical environment and displaying on the display an image 
depicting the at least one individual's movements through the physical environment based on the 
stored location information. 

The instances of the physical presence of the at least one individual may be detected by at 
least one secure access device which monitors access to areas. The secure access device may 
comprise at least one of a badge reader, iris scanner, pupil scanner, fingerprint scanner, voice 
recognition, face recognition system and a human guard. The instances of the physical presence 
of the at least one individual may be detected by monitoring usage of an Information Technology 
(IT) system. The information related to the instances may include a location of the individual, 
determined by determining a location of a terminal the individual has used to access the IT 
system. The instances of the physical presence of the at least one individual may be detected by 
monitoring usage of at least one piece of office equipment. The at least one piece of office 
equipment comprises at least one of a facsimile, copier, printer and telephone. The instances of 
the physical presence of the at least one individual may be detected by at least one of a secure 
access device which monitors access to areas, monitoring usage of an information technology 
system and monitoring usage of a piece of office equipment. 



The visual image may be a simulated three-dimensional image of the physical 
environment. The visual image may be a simulated two-dimensional image of the physical 
environment. The at least one individual's movements may be depicted as paths used by the at 
least one individual as the at least one individual has moved throughout the physical 
environment. The paths showing the individual's movements may be chronologically displayed, 
gradually showing the individual's movements from point to point over a course of time. As a 
path is repeatedly shown, the path may gradually begin to fade, leaving paths taken less 
frequently highlighted. The information related to the instance includes information identifying 
at least a location and time that the individual's presence was detected. 

The method may further comprise monitoring the at least one individual's usage of
various portions of an information technology (IT) system, storing usage information relating to 
the individual's usage of the various portions of the IT system and displaying at least a portion of 
the stored usage information as a bar graph showing a relative number of times the at least one 
individual has accessed different categories of the IT system over a period of time. 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete appreciation of the present disclosure and many of the attendant 
advantages thereof will be readily obtained as the same becomes better understood by 
reference to the following detailed description when considered in connection with the 
accompanying drawings, wherein: 

Figure 1A is a block diagram of a security monitoring system according to an
embodiment of the present disclosure;

Figure 1B is a block diagram of a visualization display system according to an
embodiment of the present disclosure;

Figure 2 shows a three-dimensional display of an image of a building;

Figure 3 is a three-dimensional display of an exploded floor plan of the building shown
in Fig. 2;

Figure 4 is a block diagram of an Information Technology system;

Figure 5A is an example of an IT access log;

Figure 5B is an example of a physical access log;

Figures 6-12 are various displays that can be presented to users of the present system;

Figure 13 is a graphical user interface;

Figure 14 is a flow chart for describing the creation of the physical access log;

Figure 15 is a block diagram depicting various exemplary types of office equipment to
which various aspects of the present disclosure may be applied;

Figure 16 is a block diagram of an office equipment access log;

Figures 17A-17C are displays depicting office equipment usage;

Figure 18 is a block diagram of a video surveillance system; and

Figure 19 is a display depicting usage of video surveillance information.

DETAILED DESCRIPTION 

In describing preferred embodiments of the present disclosure illustrated in the drawings, 
specific terminology is employed for sake of clarity. However, the present disclosure is not 
intended to be limited to the specific terminology so selected and it is to be understood that each
specific element includes all technical equivalents which operate in a similar manner.

Fig. 1A depicts an overall block diagram of a system according to an embodiment of the
present disclosure and is referred to generally as security monitoring system 1. Security 
monitoring system 1 includes a visualization display system 10 and a database 12 which may be 
located, for example, at a central monitoring station 4. Database 12 may actually be several 
databases provided at one location or at various locations. Data from database 12 can be 
accessed, processed and used to construct images displayed on a display associated with 
visualization display system 10. For example, as will be described in more detail below, various
types of security information retrieved from database 12 can be displayed to a user of security 
monitoring system 1 via visualization display system 10. The visualized data provides a 
comprehensive and easy to understand visual image of an individual's access history to floors 
and/or rooms of a building or area. The system may also display various other types of 
information relating to the individual such as their Information Technology (IT) utilization habits 
and information relating to their office equipment usage, etc. Various types of security data can 
be input and stored in database 12, including data from physical security devices 16 and data 
from IT monitoring system 18. Database 12 may also store employee information 14 such as
name, title, date of birth, social security number, phone number, email address and residential 
address, etc. This employee information may also be displayed by visualization display system 
10. 

As shown in Fig. 1B, visualization display system 10 may include a display 2, a computer
or processor 6, an input device 8 which may include one or more of a keyboard, mouse, etc. and a
storage device 9 for storing software including code for implementing the systems described in
the present disclosure. Storage device 9 may be internal or external to processor 6. Visualization
display system 10 is capable of displaying two and/or three-dimensional images.

A physical security device 16 may be any type of device capable of providing information 
on the whereabouts of a person. Examples of physical security devices include access point 
systems that provide secure access to buildings, floors or rooms of buildings, etc. One type of 
access point system may require a person desiring to enter a building, floor or room of the 
building to present some type of identification prior to being granted or denied access. Access 
point systems may include badge reader systems in which an employee, for example, presents a 
badge prior to being granted or denied access to the building, room or floor. Retina scanners, iris 
scanners, finger print scanners, face and/or voice recognition, etc. may also be used as effective 
access point devices for identifying a person prior to granting or denying them access. In its most 
basic form, an access point system may simply consist of guards positioned at entry points at 
which a person presents some form of identification prior to being granted or denied access. 

Other types of physical security devices include location determining type devices. These 
types of devices are capable of monitoring the location of individuals. An example of a location
determining type device is a face or voice recognition system. In these types of systems, cameras
and/or microphones can be installed within rooms of a building. By capturing an image or voice 
pattern of an individual in the room, the identity of the individual can be determined by 
comparing the image or voice pattern to a database of known image or voice patterns. 

Another location determining type device might include the use of badges equipped with 
an active or passive circuit. When an individual wearing the badge enters a building, room or 
floor having an appropriate sensing system capable of sensing the badge, the identity of the
individual can be determined. For example, each badge might emit a low power signal, each
coded differently for each individual. In this way, each individual can be monitored as they 
move throughout a building or into and out of specific rooms in the building or area. A Global 
Positioning System (GPS) might also be used. For example, each employee might be given a 
GPS receiver and a transmitter which they are required to always have in their possession. The 
GPS receiver is capable of determining exactly where the employee is in the building. That 
information can then be automatically transmitted to central monitoring station 4. 

Although the present disclosure will be described mainly by reference to the use of badge 
reader systems, it will be appreciated that any combination of other types of systems including 
those mentioned above might be used in addition to or as alternatives to the badge reader 
systems. 

Briefly, in a badge reader system, each employee of a company is issued a badge. The 
badge includes various types of information. For example, the badge might include the 
employee's name and/or other type of information uniquely identifying the employee (e.g., an 
employee ID number). A contractor or visitor to the company may be issued a temporary badge 
uniquely identifying them. The employee's, contractor's or visitor's badge might also include 
information indicating the various portions of the building or grounds that the person holding the 
badge has access to. For example, an employee might be given broader access to various 
portions of the building than a visitor. If a security level system is in place, an employee with a 
"secret" security clearance might be given broader access to various portions of the building than 
an employee with a "confidential" security clearance. 

The information on the badge might be visible on its face, or it might be stored on the
badge electronically on a microchip or magnetically on a magnetic strip. The information might
be coded for added security. In the alternative, the various types of access the person can be 
granted can be stored at one or more remote sites. When a person presents their badge which 
identifies them in some manner to a badge reader, their access privileges can be retrieved and the 
person can be granted or denied access accordingly. 

Badge readers are located at various entrances to rooms or floors within the building. 
When the person possessing the badge desires to enter an area, the badge is swiped through the 
badge reader. The badge reader is capable of reading information contained on the badge. Each 
badge reader is connected to central monitoring station 4. The connection can be a hard-wire 
connection, a network connection, a wireless connection, etc. When the badge is read by the 
badge reader, information is sent to the central monitoring station 4. For example, if the badge 
contains information indicating the badge holder's access privileges, that information can be sent 
to the central monitoring station 4. The information can then be compared with that individual's 
information which is stored in a database accessible by the central monitoring station 4. If the 
access privileges are confirmed at the central monitoring station 4, confirmation information is 
sent back to the badge reader system, indicating that access should be granted. The badge holder 
is then granted access to the area. For example, an electronic deadbolt on a door to the area can 
be remotely triggered from the central monitoring station 4 or from the badge reader itself. If the 
individual's badge information can not be confirmed, the individual is denied access to the room. 
A visual and/or audio indication such as a flashing red light, a buzzer, etc., may be provided on 
the badge reader to signify that access has been denied. 

Another type of badge reader system might store employee access privileges locally, and 
either grant or deny access to the area based thereon. For example, upon the badge being
scanned, the badge reader can access a local or remote database and using the identity of the 
person as indicated on the badge, determine whether the person identified on the badge should 
be granted or denied access to the area. If access privilege information is contained on the badge 
itself, it can be retrieved from the badge by the badge reader and compared to the level of access 
privileges required to enter that room. 

Each badge reader is capable of communicating information to database 12 via a hard 
wire or a wireless connection. The badge readers may be connected to each other and database 
12 via a network. When a person presents their badge to the badge reader to attempt to access 
the area, the badge reader will send information to the database 12 located at the central
monitoring station 4 identifying the room or floor the badge reader controls access to, identifying 
the person and detailing the date and time that the person was granted or denied access. Database 
12 compiles a physical access log of this information for each employee, visitor, contractor, etc. 
The present disclosure is not intended to be limited to any particular type of badge reader system 
and the above-mentioned systems are described by way of example only. 

Fig. 2 depicts a three-dimensional image of a type of environment to which the present 
system and method may be applied. In this example, the environment is a corporate headquarters 
building X. A three-dimensional image of the corporate headquarters building can be displayed 
on display terminal 2 of visualization display system 10. Double clicking on the building X
presents a three-dimensional floor plan of the building X, as shown in Fig. 3. The building has
multiple floors F1-F7. Each floor might have multiple rooms, as shown. Depending on the
desired security in the building, various types of physical security devices might be provided in
the building. For example, the white dots labeled 01-24 represent security access points in the
building. In the following description these security access points are described as badge reader 
type systems. However, as mentioned above, it will be appreciated that various other types of 
systems might also be used. As shown, the security access points are specific locations in the 
building, usually entrances to a floor or room, at which each person must be cleared prior to 
entering that floor or room. For example, security access point 01 is a badge reader located at the 
main entrance on floor F2 of building X. Floor F2 is the main floor of the building and also 
includes entrance security access points 17, 18 and 20. In addition to entrance access points 01, 
17, 18 and 20, main floor F2 may include access points 19 and 21 for gaining access to specific
rooms on floor F2. When an employee, for example, enters the building or room at one of these 
access points, they are required to present their employee badge at the badge reader station. The 
badge reader will automatically send information to central monitoring station (database 12) to 
create a log (a "physical access log") of information identifying the employee, the security access 
point and indicating the date and time that the employee entered through that access point. 

As shown in Fig. 3, floor F3 has security access points 02 and 11 so that when a person
exits the elevator at that floor, they are required to present their badge to gain access to the floor. 
Floor F3 also includes security access points 14-16 for gaining access to specific rooms on that 
floor. Each floor and each room on a floor having a security access point might require a 
different level of security access clearance for gaining access. Floor F3 might also have 
location determining devices 31 and 32 for sensing a unique signal being emitted from each 
employee's badge. When an employee possessing such a badge enters that portion of floor F3,
the badge is sensed by one of devices 31 or 32, and information can be sent to the central
monitoring station database 12 identifying the individual. This information as well as the date
and time of the identification can be added to the physical access log of information for that
employee. Floor F4 includes security access points 03 and 10 for gaining access to floor F4 and
access point 13 for gaining access to a room on that floor. Floor F5 includes access points 04
and 09 for gaining access to floor F5 and access point 12 for gaining access to a room on that
floor. Floor F6 includes access points 05 and 08 for gaining access to floor F6. Floor F6 also 
includes a voice recognition system 33. When an employee is in that portion of floor F6 and 
speaks, system 33 will capture the voice pattern and use it to determine the identity of the 
individual from a database of voice patterns. Appropriate information can then be sent to central 
monitoring station database 12 identifying the individual as well as identifying where and when 
the individual was detected. Floor F7 includes access points 06 and 07 for gaining access to 
floor F7. Floor F1 includes access points 22-24 for gaining access to rooms on that floor.

Although depicted as three-dimensional images, it will be appreciated that the building 
and/or floors could also be depicted in two-dimensional form or in a combination of two and 
three-dimensional forms. For example, the system may be arranged so that the floors are
originally displayed in three-dimensional form as shown in Fig. 3. If the user desires to view a
particular floor in more detail, the user clicks on the floor, and a two-dimensional image of the
floor plan is displayed. The same information displayed on the three-dimensional image can
also be displayed on the two-dimensional image.

In addition, although all floors are shown as being displayed on display 2, it will be 
appreciated that not all floors may be displayed at once. For example, zoom in and zoom out 
controls may be provided, allowing the user to zoom in and out on floors which are of particular 
interest, providing the user with a more detailed floor plan and view as the user zooms in. In
addition, the system may be arranged so that a floor is not displayed or is dimly displayed until it
is required to show an access on that floor. In this way, extraneous information (e.g., floors that 
have not been accessed) need not be displayed, providing an even clearer picture for the user. 

As shown in Fig. 1, database 12 may also collect and store information from IT
monitoring system 18 for creating the IT assets logs. Companies today often use some sort of
system for collecting enterprise-wide security and system audit data from various portions of 
their IT system assets including UNIX, Windows NT and 2000, Web servers, mainframe 
systems, etc. This makes it possible to collect and store information regarding the usage of these 
assets. The company can thus have easy access to information for reporting and detecting 
unusual or malicious activities on the system. For example, a company might have different 
departments with particular IT assets being accessible only by employees in those departments. 
For example, a company's IT assets might be categorized as Sales, Accounting, Client 
Information, Human Resources, Development, Email, Web, etc. Each category of IT assets
might normally only be accessible to certain individuals. When an IT asset is accessed or 
attempted to be accessed by an employee, information identifying the person attempting the 
access as well as the category of the access can be stored, for example, in database 12. In this 
way, a log can be maintained indicating which assets or categories of assets each employee 
normally accesses during the course of a day. This information can be useful in identifying when 
an employee strays from their normal accesses as will be described later below. 

The IT asset information might also be used to provide additional information for the 
physical access log. For example, when an employee logs onto a terminal, information 
identifying the terminal (and/or terminal's location) and information identifying the employee
can be sent to the central monitoring station 4 to be stored in the employee's physical access log. 

An example of a company's IT system 41 is shown in Fig. 4. The IT system includes one
or more networks 40. Computer terminals 42a-42n may be provided throughout various rooms 
in the building. The terminals 42a-42n may be connected to the network 40 via, for example, a 
hard wire and/or a wireless connection. Also connected to the network are one or more databases 
44. One or more Web IT Assets 46 such as, for example, web servers and one or more Email IT 
assets 49 such as email servers may be provided on the network, allowing employees access to 
the Internet and their email. Various types of Sales IT assets 50 might also be provided. For 
example, the Sales IT assets might include servers, databases, specific applications, etc. 
dedicated to usage by those employees in the sales department. Various types of Accounting IT 
assets 52 might be dedicated to usage by those employees in the accounting department. Client 
Information IT 54 might include one or more databases storing information on each corporate 
client. Client Information IT 54 might normally only be accessible by members of senior
management. Human Resources IT assets 56 might include servers, databases, applications, etc. 
specific to the human resources department and accessible by only those employees in that 
department and managers of other departments. Development IT assets 58 might include servers, 
databases and applications for use by the development staff. 

The IT system 41 may have one or more ways of granting usage rights to an employee. 
For example, each employee might have a password which they enter at a terminal prior to being
granted access to the network 40. IT monitor 60 monitors the network and maintains a log of the 
usage of the various IT assets by each employee. For example, the IT monitor 60 may provide 
information identifying the terminal an employee has used to log onto the network and detailing
the date and time that the employee was granted or denied access to the network. This 
information (IT access log) might include how long the employee was logged onto the computer 
terminal or network, etc. as well as information identifying what category of IT assets were 
accessed. 

Examples of portions of an IT access log and a physical access log are shown in Figs. 5A 
and 5B, respectively. These IT access logs and physical access logs can be collectively referred
to as security access history information. As shown in Fig. 5B, on March 1, 2002, employee
"John Wey" entered the building at 7:55 am using the main entrance security access point 01 (see
Fig. 3). At 8:05 am, the employee was then granted access to floor F5 via security access point
04. As shown in Fig. 5A, it can be seen from the IT logs the employee then used a computer
terminal having terminal ID 001 to access an IT asset categorized as Human Resources. The
asset was accessed from 8:08 am to 8:30 am. The employee was then granted access to floor F7
via security access point 06 (see Fig. 5B) at 8:35 am. The employee then accessed a 
Development IT asset using a terminal having a terminal ID 004, between 9:45 am and 10:45 am 
and again between 11:30 am and 11:40 am. At 12:40 pm, the employee again entered the
building using the main entrance security access point 01, perhaps returning from lunch. At 
12:44 pm, the employee was granted access via security access point 03, to Floor F4. Between 
12:46 - 12:49 pm and between 1:15 and 1:17 pm, the employee logged on via a terminal having a 
terminal ID 002 and used the email IT assets, to perhaps access or send email. At 1:30 pm, the
employee used security access terminal 05 to enter floor F6. At 1:49, the employee used security
access terminal 03 to again enter floor F4. The employee then accessed the email assets from
2:00 - 2:05 pm and again from 2:30 - 2:34 pm using the terminal having terminal ID 002. The
employee also accessed the Web server assets from 2:10 - 2:45 pm, from 2:50 - 2:59 pm, from 
3:15 - 3:38 pm, from 3:45 - 3:50 pm and from 4:10 - 4:22 pm, all of these accesses being
performed using a computer terminal having a terminal ID 002. At 4:25 pm, the employee used
security access point 04 to access floor F5. From 4:30 - 5:15 pm, the employee accessed
development IT assets using terminal 004. There are no more log entries for that day, indicating 
that the employee likely left for the day. 

Although shown herein as separate logs, it should be understood that the security access 
history information might actually consist of one log chronologically showing an employee's 
physical accesses as well as their IT accesses. 

Although it may not be too difficult to review these logs to determine where an employee 
was and what they were doing for any given day, it would be extremely time consuming and 
burdensome to view the logs in this manner over the course of a month or even a week. It would 
be even more burdensome to find patterns in the employee's movements and actions and to 
locate deviations in those patterns that might indicate that the employee was up to no good. The 
present system presents this information in a visual display that shows the employee's movements
throughout the building over the course of a set period of time, so that those movements can be 
easily tracked and analyzed. A visual display is also provided depicting the employee's IT 
access for any period of time, providing additional key information regarding the employee. 

The present system thus provides a way of effectively tracking employee movement 
through the building and/or usage of the company's IT systems. When an employee is under 
suspicion for some activity, or simply as a matter of a routine check, security personnel can 
retrieve the employee's security history information and the information can be displayed in an
easy to understand visual format. 

When the system is started, the user (e.g., a security manager) is presented with a 
graphical user interface (GUI), as shown in Fig. 13, requesting the user to input various types of 
information. For example, the GUI may be displayed on display 2 of visualization display system
10. The user is requested to input the name of the employee they wish to investigate in box 100 
("John Wey"). The user is also requested to input the starting date in box 102 ("March 1, 2002") 
and the ending date in box 104 ("March 31, 2002") of the period of time the user desires to view. 
After the user is satisfied with these entries, the user then clicks on the START button 106. In 
response, the system retrieves the employee's security access history from the database 12 for 
that period of time, so that the information can be displayed in an easy to comprehend, intuitive
display format.

The various types of information, including information from the physical security 
devices 16, the IT monitoring system 18 and the employee information 14 can be presented to the
user in a display as shown in Fig. 6. The system presents the physical security access information
chronologically as a series of images, presenting the employee's access paths through the 
building. The display can be controlled using VCR type controls. At the bottom of the display 
are the video controllers allowing the user to scan forward or backward in time to observe 
the employee's movements throughout the building over the course of days, weeks, months, etc. Box
60 displays the earliest date for which log information is to be displayed. In this case, March 1, 
2002 was entered by the user. Box 61 displays the time of the first physical security log entry 
occurring on March 1. A user can also modify the earliest date and time by placing the cursor in
box 60 or box 61 and typing in the earliest date and time desired. Box 71 displays the end date
input by the user. In this case, March 31, 2002 was entered by the user. Box 72 displays the time 
of the last physical security log entry occurring on March 31. A user can modify the last date 
and time by placing the cursor in box 71 or box 72 and typing in the last date and time desired.
The times may be displayed in military time or in ordinary time. Box 62 displays the date and
box 70 displays the time currently being displayed. Clicking on fast rewind button 63 rewinds 
the display in one day increments. Clicking on rewind button 64 rewinds the display in hourly 
increments. Clicking on button 65 pauses the display. Clicking on button 66 starts the display
moving forward and clicking on button 67 stops the display. Clicking on button 68 forwards the 
display in hourly increments. Clicking on button 69 fast forwards the display in daily 
increments. Also shown on display 2 is a window 75 having personnel information pertaining to 
the employee being investigated. The information may include the employee's picture, name, 
employee identification number (12345) and title (Developer). The information might also 
include the employee's social security number, date of birth (DOB), home phone number, email 
address and their contact address where they can be reached. 

As shown in Fig. 6, security access point 01 is highlighted indicating that the employee 
entered the building at this point on March 1, 2002 at 7:55 am (also see Fig. 5B). As shown by 
the physical security log in Fig. 5B, the employee then entered floor F5 at 8:05 am using security 
access point 04. The display thus changes to the display as shown in Fig. 7, highlighting a path 
extending from point 01 to point 04. The employee then entered floor F7 at 8:35 am using 
security access point 06. The display thus changes to the display as shown in Fig. 8, highlighting 
the path extending from point 04 to point 06. This continues for each of the physical security 
access points, until the user stops the display by clicking on stop button 67 or the end of the 
period to be displayed has been reached (March 31, 2002). The display automatically highlights 
the employee's routes or paths through the building incrementally, hour by hour, day by day, 
showing the paths that the employee follows. Eventually, as the system determines that a path is 
routine, that path will be faded out, so that only paths which are out of the ordinary are 
highlighted. In this way, the user can quickly determine where the employee has strayed from 
his ordinary course of travel throughout the building. 

The system can use default values or user set values to determine when to fade out a path. 
For example, a fade value might be set to 10, indicating that if the same path occurs more than 
ten times over the course of the period of time being examined, the path will fade. A GUI can be 
provided, so that this value can be increased or decreased by the user as desired. The actual fade 
might occur gradually. For example, as a path occurs more often, it will gradually fade more and 
more. As an alternative to fading paths that occur more often, other visual indications might be 
used. For example, the paths might begin as one color and as the path occurs more and more 
often, the color might change to another color or to different colors, depending on how often the 
path has occurred. A color key can be provided at the bottom of the display, indicating what 
each color means. 

Displayed in the lower left-hand corner of display 2 is a visualization of the employee's 
IT access history showing the categories of IT assets the employee accessed during the course of 
the day. For example, as shown in Fig. 9, on March 31, the employee did not access the Human 
Resource, Accounting, Client Information or Sales IT assets. However, the employee did access 
the Web IT assets and Email IT assets and to a lesser degree, the Development IT assets. 

Let's assume that after the month of data has been displayed, it is seen that one path is 
highlighted, indicating that an anomaly has occurred in the employee's movements. For 
example, as shown in Fig. 9, the path from security access point 03 (floor F4) to security access 
point 13 is highlighted. In this embodiment, when a path first occurs, it is highlighted as a white 
path. As a path occurs more and more often, the path is filled in or darkened. Accordingly, paths 
which do not occur often remain highlighted as white paths. As mentioned above, other 
highlighting schemes may be used. The user clicks on the highlighted path and the display 
automatically returns to the date and time that month that the path first occurred. In this 
example, the display shown in Fig. 10 is then presented to the user. It is seen that this path first 
occurred on March 7, 2002 at 2 am. Clicking on that path again will change the display to the 
date and time that the path next occurred. If that path did not occur again, the display will not 
change. As shown in Fig. 10, by viewing the IT assets that the employee accessed that day, the 
user sees that in addition to accessing the Development, Email and Web IT assets, the employee 
also accessed the Client Information IT assets. We know that this employee is a developer and 
normally would have no reason to attempt to use the Client Information IT assets. This employee 
can then be questioned regarding this matter, or can be watched more carefully for any suspicious 
activity. The user may be given the opportunity to flag the anomaly, so that it can easily be 
retrieved for viewing at a later time. For example, after clicking on the highlighted path, the user 
may be presented with a GUI asking the user if they desire to flag the anomaly. If the user 
desires, they can name the anomaly for easy reference at a later time. 
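
The fade rule and the click-through behaviour described in the paragraphs above can be sketched as follows. This is an added illustration, not code from the disclosure; the sample log, the one-hour limit for pairing two badge reads into a path, and the linear fade are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FADE_VALUE = 10                # example fade value from the text; user-adjustable
MAX_GAP = timedelta(hours=1)   # assumption: reads further apart are not one path


def sample_log():
    """Constructed March 2002 log of (timestamp, access point); not Fig. 5B data."""
    events = []
    for day in range(1, 32):
        if datetime(2002, 3, day).weekday() < 5:   # weekday routine 01 -> 04 -> 06
            events += [(datetime(2002, 3, day, 7, 55), "01"),
                       (datetime(2002, 3, day, 8, 5), "04"),
                       (datetime(2002, 3, day, 8, 35), "06")]
    # One out-of-routine trip, modelled on the 03 -> 13 path the text discusses.
    events += [(datetime(2002, 3, 7, 1, 50), "03"),
               (datetime(2002, 3, 7, 2, 0), "13")]
    return events


def path_occurrences(events):
    """Map each (from_point, to_point) path to the sorted times it was completed."""
    occ = defaultdict(list)
    ordered = sorted(events)
    for (t0, p0), (t1, p1) in zip(ordered, ordered[1:]):
        if p0 != p1 and t1 - t0 <= MAX_GAP:
            occ[(p0, p1)].append(t1)
    return dict(occ)


def intensity(count, fade_value=FADE_VALUE):
    """1.0 on first occurrence, fading linearly to 0.0 once count exceeds fade_value."""
    return max(0.0, 1.0 - (count - 1) / fade_value)


def highlighted(occ, fade_value=FADE_VALUE):
    """Paths still visible after fading, most unusual first."""
    visible = [(intensity(len(ts), fade_value), path) for path, ts in occ.items()]
    return [path for level, path in sorted(visible, reverse=True) if level > 0.0]


def click(occ, path, shown=None):
    """First click jumps to the path's first occurrence, later clicks to the next.

    If the path did not occur again, the displayed time does not change.
    """
    times = occ[path]
    if shown is None:
        return times[0]
    later = [t for t in times if t > shown]
    return later[0] if later else shown


if __name__ == "__main__":
    occ = path_occurrences(sample_log())
    for path in highlighted(occ):
        print(path, len(occ[path]), click(occ, path))
```

Raising the fade value keeps more of the routine visible; lowering it leaves only the rarest paths highlighted.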

Now, let's assume that after the month of data has been displayed, no paths are 
highlighted. This indicates that the employee has not deviated from his normal movements 
through the building. However, perhaps looking more closely at the times the employee was in 
the building will disclose something. The display 2 may also include a clock button CL 90, as 
shown in Fig. 10. Clicking on button 90, the user is presented with a clock dial 92 as shown in 
Fig. 11. Clock dial 92 includes 24 hour markings as shown. The clock shows the employee's 
physical security log events for each hour of the day. Each time the user clicks on play button 66 
steps the clock forward 24 hours so that each day's physical access occurrences can be seen. In 
Fig. 11, the physical access occurrences for each hour of that day (March 7, 2002) are seen on the 
dial face as vertical bars. Also shown in the bottom left-hand corner of the display are the 
employee's IT asset access occurrences for that day. We see that in addition to having physical 
access occurrences during normal business hours (8 am - 6 pm), the employee also had physical 
access occurrences that day at 1 am and 2 am. We also see that the employee has accessed the 
Client Information IT assets on that day. The user clicks on the Client Information bar 92 and the 
view switches to the time that the first access of Client Information IT assets occurred. In this 
example, the view shown in Fig. 12 is displayed. We see that this access occurrence to the Client 
Information IT assets occurred at 1:54 am and we know that the employee was in the building at 
this time. This again indicates suspicious activity. The employee can then be questioned or 
monitored more closely. 
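
The clock-dial view and the correlation drawn from it can be expressed as below. This is an added example, not part of the disclosure; the two logs are constructed sample data, and the `usual_categories` parameter is a hypothetical stand-in for what the investigator knows about the employee's role.

```python
from datetime import date, datetime

BUSINESS_HOURS = range(8, 18)   # 8 am - 6 pm, the normal hours named in the text


def _t(hour, minute, day=7):
    return datetime(2002, 3, day, hour, minute)


# Constructed sample data for one employee; not taken from the page's figures.
PHYSICAL_LOG = [_t(1, 10), _t(2, 0), _t(8, 2), _t(8, 35), _t(12, 30),
                _t(17, 40), _t(8, 5, day=8)]
IT_LOG = [(_t(1, 54), "Client Information"), (_t(8, 40), "Email"),
          (_t(9, 15), "Development"), (_t(10, 2), "Web"),
          (_t(9, 0, day=8), "Development")]


def dial_counts(physical_log, day):
    """24 bar heights for the dial: physical access occurrences per hour of `day`."""
    counts = [0] * 24
    for ts in physical_log:
        if ts.date() == day:
            counts[ts.hour] += 1
    return counts


def off_hours(counts):
    """Hours outside normal business hours that have at least one occurrence."""
    return [h for h, n in enumerate(counts) if n and h not in BUSINESS_HOURS]


def first_access(it_log, day, category):
    """Time of the first access to `category` on `day`, or None if there was none."""
    times = sorted(ts for ts, cat in it_log if cat == category and ts.date() == day)
    return times[0] if times else None


def suspicious_accesses(physical_log, it_log, day, usual_categories):
    """IT accesses on `day` outside the usual categories, made during an off-hours
    hour in which a physical access occurrence places the employee in the building."""
    present = set(off_hours(dial_counts(physical_log, day)))
    return sorted((ts, cat) for ts, cat in it_log
                  if ts.date() == day
                  and cat not in usual_categories
                  and ts.hour in present)


if __name__ == "__main__":
    day = date(2002, 3, 7)
    print(off_hours(dial_counts(PHYSICAL_LOG, day)))
    print(suspicious_accesses(PHYSICAL_LOG, IT_LOG, day,
                              {"Development", "Email", "Web"}))
```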

Fig. 14 is a flow chart for describing a system for obtaining physical access information 
and creating a log thereof. In Step S1, a security access query is received from a security access 
station, at the central monitoring station 4. As noted above, this query can include the name of 
the party desiring to gain access to an area and/or some other form of identification uniquely 
identifying the party (e.g., an employee ID). The security access query also includes location 
information, identifying the location issuing the query. In response, the central monitoring 
station 4 will access a database to retrieve information for that employee, indicating their security 
access clearance and/or whether they are allowed access to that particular area (Step S3). If the 
party is entitled access to that area (YES, Step S5), information is returned to the security access 
station indicating that the person may be granted access (Step S9). If the security access station 
is in the form of a security guard, the guard can then allow the party to enter the area. If the 
security access station is in the form of a badge reader, the badge reader will unlock the door in 
response to the information returned from the main monitoring station. If access has been denied 
(NO, Step S5), the party is not permitted access to the area and information is sent to the security 
access station indicating that access should be denied (Step S7). In the case of a security guard, 
the guard can then inform the party that they are denied access. In the case of a badge reader, a 
visible indication such as a red light can be displayed to the party, informing them that access is 
denied. The central monitoring station 4 also adds information to that employee's physical 
access log (Step S11) identifying the specific security access station that issued the query, the 
date and time of the query, and whether access was granted or denied. 
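
The flow of Fig. 14 as described above, written out as an added example (not code from the disclosure). The clearance table, the station directory and station "X1" are constructed, and treating an unknown employee ID or unknown station as a denial that is still logged is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed clearance database: employee ID -> areas the employee may enter.
CLEARANCES = {"12345": {"F5", "F7"}}
# Constructed station directory: security access station -> area it guards.
# "X1" / "SERVER-ROOM" are hypothetical names used only for this example.
STATIONS = {"04": "F5", "06": "F7", "X1": "SERVER-ROOM"}


@dataclass(frozen=True)
class LogEntry:
    employee_id: str
    station: str
    when: datetime
    granted: bool


class CentralMonitoringStation:
    def __init__(self, clearances, stations):
        self.clearances = clearances
        self.stations = stations
        self.access_logs = {}   # employee ID -> list of LogEntry

    def handle_query(self, employee_id, station, when):
        """Steps S1-S11: decide, answer the station, and log the query either way."""
        # S1: the query carries the party's ID and the location issuing it.
        area = self.stations.get(station)
        # S3: retrieve the clearance for that employee (empty if unknown: assumption).
        allowed = self.clearances.get(employee_id, set())
        # S5: is the party entitled to access that area?
        granted = area is not None and area in allowed
        # S11: the log records the station, the time and the outcome, so denied
        # attempts are kept alongside granted ones.
        self.access_logs.setdefault(employee_id, []).append(
            LogEntry(employee_id, station, when, granted))
        # S9 / S7: this value is what is returned to the guard or badge reader.
        return granted

    def denied(self, employee_id):
        """Denied attempts for one employee, in the order they were logged."""
        return [e for e in self.access_logs.get(employee_id, []) if not e.granted]


if __name__ == "__main__":
    cms = CentralMonitoringStation(CLEARANCES, STATIONS)
    print(cms.handle_query("12345", "04", datetime(2002, 3, 1, 8, 5)))
    print(cms.handle_query("12345", "X1", datetime(2002, 3, 7, 2, 0)))
    print(cms.denied("12345"))
```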

Various other types of information may also be used to monitor an individual's location 
and/or their usage habits of, for example, office equipment, etc. Buildings, offices, warehouses, 
airports, etc. often include multiple types of office equipment for use by employees. The office 
equipment may include facsimile machines, copy machines, telephone systems, etc. These 
systems often use some form of access clearance prior to granting usage rights to an operator. 
For example, copy machines may require an operator to input certain types of information 
including a unique ID uniquely identifying the operator, prior to allowing the operator to use the 
copy machine. Facsimile machines, phone systems, printers, etc. may also be configured to 
require the operator to input their ID prior to granting usage rights. These systems are often 
connected to one or more monitoring systems, so that billing information, status and usage 
information and/or maintenance information can be gathered and monitored. This information 
may then also be used by the present monitoring system to provide additional information 
regarding the location of an individual as well as information regarding office equipment usage 
habits of the individual that might be helpful in determining abnormal activity by the individual. 
Other types of office equipment to which the present disclosure may also be applied might 
include heating, ventilation and air conditioning (HVAC) units which require a user to enter an 
ID prior to being allowed to use the units. 

Fig. 15 depicts a block diagram of an office equipment system including various types of 
office equipment. As shown, the office equipment may include one or more facsimile machines 
120a-120n, one or more copy machines 122a-122n, one or more telephone units 124a-124n, etc. 
Usage information from each machine or unit is communicated to the one or more monitoring 
systems 126 for collecting information regarding the usage of each system. The information 
might include the user ID information which the user is required to enter prior to being granted 
the right to use the piece of equipment. The information might also include information 
identifying the piece of equipment (e.g., a machine ID) and/or the location of the piece of 
equipment, as well as the date and time that usage was requested by the user and whether usage 
was granted or denied. The one or more monitoring systems 126 might be the same as the 
central monitoring station 4 described above, or might be separate therefrom. For example, 
monitoring system(s) 126 may simply provide data to central monitoring station 4 periodically or 
in response to a request from the central monitoring station 4. For example, it will be 
appreciated that telephone units 124a-124n may be connected to a telephone exchange system 
(not shown) which includes a system that grants or denies access to the phone system subject to 
the user being authenticated and monitors the phone usage. The telephone system may then 
communicate access history information which may include information identifying the location 
of the telephone, date and time of access, the user requesting access, etc. This information can 
be forwarded to central monitoring station 4 in real time, periodically or in response to a request 
from the central monitoring system 4. 

Log records can be compiled identifying what office equipment was accessed, when it 
was accessed, etc. The information being stored with the log records may include information 
identifying the type of each piece of office equipment being accessed and/or its location. An 
example of an Office Equipment Access Log is shown in Fig. 16. 

Office Equipment Access Log 130 may include various types of information including 
identification information 132 identifying the individual that requested usage of a piece of office 
equipment. In this example, employee "John Wey's" office equipment access log is depicted. It 
will be appreciated that although depicted as one log, each type of office equipment might have 
its own log. In addition, it will be appreciated that the office equipment log information might be 
combined with one or more of the physical access log information and the IT access log 
information described above. Equipment ID 134 may be provided which uniquely identifies each 
piece of equipment. Type information 135 may be provided which identifies the actual type of 
equipment (facsimile, phone, copy machine, etc.). Location information 136 may be provided 
which identifies the location of the equipment. Time and Date information 138, 140 may be 
provided which identifies the date and time that the office equipment was attempted to be 
accessed. Access allowed/denied information 142 may be provided for indicating whether the 
operator was granted or denied access to the office equipment. 

The office equipment usage information might also be used to provide additional 
information for the physical access log. For example, when an employee enters their ID code 
into a copier, facsimile machine, etc., information identifying the copier, facsimile machine 
(and/or the location of the copier, facsimile machine, etc.) and information identifying the 
employee can be sent to the central monitoring station 4 to be stored in the employee's physical 
access log. 

The Office Equipment Access Log information 130 can also be presented to a user of the 
present system in an easy to comprehend visual format, providing additional information for 
monitoring the whereabouts and/or equipment usage habits of an individual. For example, as 
shown in Fig. 17A, this information can be presented in a manner similar to the IT asset 
information as described above. As shown, information showing phone usage 160, information 
showing facsimile usage 162 and information showing copy machine usage 164 may be 
displayed in bar graph form. Each bar graph displays a user's relative usage of each type of 
equipment for each day in question. When a particular day is selected to view in more detail, 
moving cursor 200 and clicking on one of the bars 160-164 will present more detailed visual 
data. For example, clicking on bar 160 will display a bar graph 165 as shown in Fig. 17B that 
shows which phones the person in question used that particular day and the relative number of 
times the phone was used. Moving cursor 200 and clicking on one of the columns (e.g., column 
166), will present a display indicating the times that phone was used by the employee that day, as 
shown in Fig. 17C. The same type of bar graph displays can be provided for each type of office 
equipment. This provides security personnel with valuable information which can be used to 
trace an employee and view their usage habits of different types of office equipment. 

A video system may also be incorporated into the present system. Video security cameras 
are often set up at key points throughout a building or area. The video cameras may provide 
feeds to a central video monitoring station, where security personnel can visually monitor the 
areas. This video data can be stored and then retrieved by the present system. The video data is 
time stamped so that it can be synchronized with the other data being displayed by the present 
system. For example, the video from one or more video security cameras can be displayed in 
separate windows on display 2 along with the other information being displayed. The video can 
be presented as a full screen display, or as a small window on the display. 

A block diagram of an example of a video monitoring system is shown in Fig. 18. One or 
more video camera units 180a-180n are provided at various key locations throughout a building 
or area. The video from each unit 180a-180n is communicated to one or more video storage 
systems 190, either via a wired or wireless connection, where it can be time stamped and stored. 
The monitoring system according to the present disclosure can then retrieve selected video from 
storage systems 190 as desired. A GUI can be provided allowing the operator to select one or 
more video feeds to view. 

Fig. 19 shows a display 2 including a video window 192 which displays a video feed. In 
this embodiment, the operator used the GUI to select to view security monitor "LABA" which is 
provided in the main lab in the building. The operator is viewing in window 192, a segment of 
video which occurred around 1:05 am on March 22, 2002, as shown by boxes 62 and 70. The 
video for the selected video camera can be retrieved from storage 190 and when the user presses 
start button 66, video for that time period can be displayed along with the physical access 
information being shown on the rest of the display. The video data can also be displayed in real 
time along with one or more of the physical access information, IT access information and the 
office equipment usage information. 

The present system and method can also display the physical accesses and/or IT accesses 
and/or office equipment usage information and/or video data in real time as they occur, giving 
the security department a powerful tool for monitoring personnel in the building or area. 

Of course, the present system may be arranged to display or visualize the use of any one 
or any combination of one or more of the various types of information described above. 

The present disclosure may be conveniently implemented using one or more conventional 
general purpose digital computers and/or servers programmed according to the teachings of the 
present specification. Appropriate software coding can readily be prepared based on the 
teachings of the present disclosure. The present disclosure may also be implemented by the 
preparation of application specific integrated circuits or by interconnecting an appropriate 
network of conventional component circuits. 

Numerous additional modifications and variations of the present disclosure are possible 
in view of the above teachings. It is therefore to be understood that within the scope of the 
appended claims, the present disclosure may be practiced other than as specifically described 
herein. 